Download: 3.11.0
Documentation: 3.11.0
Release highlights
Java 21
The language level used for Gerrit source code stays on Java 17
, however, Gerrit
is built and distributed for Java 21
, which is the recommended JVM version for
running it in production.
Enforce project configuration changes for code review
It is now possible to enforce project configuration changes for code review, ensuring modifications
are reviewed and approved before integration (by setting
gerrit.requireChangeForConfigUpdate=true
).
This feature, together with a dedicated set of endpoints such as
/projects/myproject/access:review
, /projects/myproject/labels:review
,
/projects/myproject/submit_requirements:review
and
/projects/myproject/config:review
, allows to prevent that any project configuration changes is
submitted without code review.
New maintenance APIs
Some maintenance operations can be configured in gerrit.config
to be executed at a specific time.
However, this might not always be wanted or could even lead to issues in setups where multiple
Gerrit instances with the same configuration try to perform the operation concurrently.
To work around this problem, for some specific operations, one can now explicitly call dedicated REST API on demand, specifically: Clean up of stale changes and Clean up of stale accounts.
New metrics
The new receivecommits/reject_count
set of metrics to count the number of rejected pushes has been
added. This is useful to monitor push errors over time and the reason of their failure.
Additionally one can explicitly set performance.metrics to record latency and counts of specific operations.
Please bear in mind that the above metrics can quickly build up in number, eventually increasing the
latency and the size of collecting metrics payloads via to monitoring such as prometheus
.
New Submit requirements
Submit requirements now support WANT_LGTM=all
functionality, enabling changes to be submittable
only when all human reviewers have approved. The new syntax
label:Code-Review>=1,users=human_reviewers
can be used in submit requirement expressions to
match changes approved by all reviewers.
Additionally, WANT_LGTM=all
can be configured to apply automatically to all changes or selectively
enabled for changes containing a specific footer (e.g., Want-Code-Review: all
), allowing users to
require unanimous approval on demand.
Important Notes
Schema and index changes
No changes to either the schema or indexes versions.
Online index schema upgrade from 3.10
If you’re upgrading from 3.10
, the Lucene index does not need any rebuild.
If you’re upgrading from 3.9
, the Lucene index is automatically rebuilt upon Gerrit startup after
the upgrade.
However, if you’re upgrading from 3.8
or an earlier version, you must use the Offline
upgrade steps below, because of the Lucene upgrade mentioned in the
3.8
release notes.
Offline upgrade
- Download the new
gerrit.war
- Stop Gerrit
- Backup the existing indexes in case a rollback is required
- Ensure all installed plugins are compatible with the new API
- Run init
java -jar gerrit.war init -d site_path --batch
-
If you are upgrading from a
3.9
/3.10
versions you don’t need to run reindex (seeOnline index schema upgrade from 3.10
above).If you are upgrading from a
3.8
or an earlier version, you must run a reindex of all indexes:java -jar gerrit.war reindex -d site_path
See the reindex command for other options.
Online upgrade with zero-downtime
Gerrit v3.11.x supports zero-downtime upgrade from Gerrit v3.10 when configured using either high-availability or multi-site setup.
During the zero-downtime upgrade, Gerrit end-users will not experience any outage or service disruption and will be able to perform any read/write Gerrit operation seamlessly.
The zero-downtime upgrade process for high-availability or multi-site setups consists of the following steps (demo):
- Have Gerrit servers running v3.9 or v3.10 in high-availability or multi-site configuration, healthy and able to handle the incoming traffic properly.
- Set one of the Gerrit servers to unhealthy.
- Shutdown the Gerrit server, update gerrit.war and plugins to v3.11.x and start Gerrit again.
- Verify that the Gerrit server is working properly (e.g. run automated smoke tests) and then make it healthy again.
- Ensure the Gerrit server is fully caught up with the events that happened while it was down before directing traffic to it.
- Repeat steps 2 to 5 for each of the remaining Gerrit servers.
Downgrade
Downgrade to Gerrit v3.9 or v3.10 release is possible, but requires the following manual steps:
- Shutdown all migrated Gerrit servers
- Update the gerrit.war and plugins to the previous v3.9 or v3.10 version
- Init Gerrit
java -jar gerrit.war init -d site_path --batch
- Startup Gerrit server
Native packaging
Almalinux
distribution updated9.4
.Ubuntu
distribution updated tov24.04
.
Security Fixes
-
Change 435557: Add Option to set HttpOnly flag for cookies.
This option helps to prevent possible XSS-attacks.
-
Change 435998: Change default of auth.cookieHttpOnly to true.
This makes the
auth.cookieHttpOnly
cookie more secure by default as there should usually be no need to allow client side javascript to access it. -
Change 435960: Don’t allow discovery of non-visible groups.
A user could have used the
ls-members
command to distinguish between a non-existent group and an existent but not visible group. This fixes that.
Known issues
-
Issue 309098227 Change 360646: The introduction of a per-request ref cache for better performance may break the repository consistency
The addition of a new
core.usePerRequestRefCache
setting, true by default, introduced a per request (currently per request thread) ref cache, helping reduce the overhead of checking if the packed-refs file was outdated. However, in some scenarios, such as multi-site or concurrency betweengit-receive-pack
andgit-gc
, it may lead to split-brain inconsistencies and, in the worst-case scenario, to the corruption of the underlying repository. -
Issue 380898784: The new
changes_by_project
cache will make thegit-upload-pack
fail intermittently on projects containing one or more inconsistent changes.The introduction of the
changes_by_project
cache is incompatible with projects having one or more inconsistent changes, like changes with /meta refs coming from unexpected Gerrit serverId. The cache makes thegit-upload-pack
fail intermittently with internal server errors when it fails to load the change meta-data depending on the status of the cache. As a workaround, disable thechanges_by_project
cache as follows ingerrit.config
:[cache "changes_by_project"] memoryLimit = 0
Breaking Changes
-
Change 434037: Disallowed tracing configs that trigger tracing for too many requests
When using a
tracing.<trace-id>
subsection ingerrit.config
one must now specify at least one ofrequestUriPattern
,account
andprojectPattern
, or otherwise it is ignored. -
Change 429818, Change 429819 and Change 429820: Removed etags for
change
,revision
andListFiles
resources.Any REST clients built expecting that ETags exist and that rely on them for workflows, may require modifications.
-
Change 442068: Do not notify listeners when performing online reindexing
Breaking Changes - Replication plugin
-
Change 430660 Prevent replication plugin start with invalid remotes:
Allow the Gerrit admin to detect early a configuration issue with the remotes. Upon invalid remotes configuration the plugin will not start and an error will be thrown:
Unable to start replication plugin because remote
. -
Issue 320715545 Use SecureStore for reading username/password credentials
Use SecureStore for reading username/password credentials. Existing installations may have used a mix of encrypted and clear text credentials in
secure.config
, leveraging the replication plugin bug that was not accessing it using the correct API. Introduce a legacy feature flaggerrit.useLegacyCredentials
that allow the Gerrit admin to still use the legacy mode.
New Features
-
Change 409734: New REST API endpoint for deactivating stale accounts.
You can now
POST /config/server/deactivate.stale.accounts
to trigger account deactivation outside the time window scheduled ingerrit.config
. -
Change 421120: A
Blocked Users
group that allows admin to block spammers is created automatically during the site initialisation.This change makes it easier to block spamming users by automatically creating the
Blocked Users
group with theBLOCK
read permissions onrefs/*
. All admins need to do to block users is adding them to the group. -
Issue 317351858: Submitting changes with unresolved comments is blocked for new sites by default
-
Change 420300: Added REST API to clean old changes.
You can now
POST /config/server/cleanup.changes
to abandon changes older than some given time outside the time window scheduled ingerrit.config
. -
Change 247812 and Change 248034: Added support for plugins to block WorkQueue tasks without depriving other tasks of a thread.
Introduces a
TaskParker
interface allowing selective task parking to control resource usage by deprioritizing certain tasks without blocking other tasks from using resources.Tasks blocked from running by
TaskParker
implementations show their state asparked
. -
Change 425478: Support multiple parents in the
Get Patch
API.Now the “Get Patch” API can handle a new
parent
flag to select which parent to use to generate the patch. -
Change 426018: Added highlight support for the
epp
language. -
Change 425804: Added REST API endpoint for creating project config change.
Similar to the
access:review
endpoint, this allows creating a change for project configuration updates via REST API byPUT /projects/myproject/config:review
. -
Change 425805: Added REST API endpoint for creating a change for labels update.
Allows CRUD operations on multiple label definitions in this project at once by
POST /projects/myproject/labels:review
. -
Change 425806: Added REST API endpoints for batch updating submit requirements.
Introduced two new endpoints for updating submit requirements. One for updating without a review:
POST /projects/myproject/submit_requirements/
Another for creating a change for the update:POST /projects/myproject/submit_requirements:review
. -
Change 425525: Added API option to apply patches that conflict.
POST /changes/{change-id}/patch:apply
now takes a payload that allows an optionalallow_conflicts
field, to tolerate conflicts and add conflict markers where required. -
Change 425807: Added a new config for protecting project config from unreviewed updates.
When
gerrit.requireChangeForConfigUpdate
is set totrue
, all attempts to update a project config directly using any REST API are rejected. Instead, users should always use APIs which create a config change (for review). -
Change 425808:
Save for review
button was added into the project config page.When
gerrit.requireChangeForConfigUpdate
is set totrue
a newSave for review
is added to the project config page. -
Change 429017: Introduce
@DynamicItem.Final
for allowing immutable dynamic bindings of interfaces to implementations in other plugins. -
Change 429823: Add
TRIVIAL_REBASE_WITH_MESSAGE_UPDATE
ChangeKind to allow automatic vote copy in this case.Introduce a new ChangeKind type representing a conflict-free merge between the new parent and the prior patch set but having a commit message update.
-
Change 439642: Report number of documents in the indexes REST API.
This can be useful to observe index size, especially while a new index version is being created.
-
Change 438704:
LockManager
as an extension point.Provides a mechanism for global locks in distributed setups. This allows implementing global locking beyond project creation, such as ensuring only one Gerrit server runs certain tasks at a time (e.g. aut-abandoning, git-gc, account-deactivation and so forth).
-
Change 439124: Allow applying fixes to different patchsets.
The
Apply Provided Fix
API now supports applying fixes to older patchsets, enabling users to apply fixes not just to the current patchset. -
Change 438424: Add support for
Vue
code highlighting. -
Change 437343: Added screen to browse the server info.
Users can find important properties of the server listed in a new server info page.
-
Change 436218: Added extension point that allows plugins to provide server metadata.
-
Change 436318: Allow admins to get the account state of other users via REST API.
-
Issue 435999: Add method
resolveExactIgnoreVisibility
forAccountResolver
.This method can be used by plugins to be able to Ignore Visibility when doing exact resolving of an account.
-
Change 435937: Added extension point that allows plugins to provide account state metadata.
Provide an extension point that enables plugins to supply additional data for account states which are returned from the
Get Account State
REST endpoint. -
Change 435819: Added REST endpoint to retrieve the account state with a single request.
The new
GET /accounts/link:#account-id/self/state
can now be used Retrieves the superset of all information related to an account, including its permissions. -
Change 435559: For users that have the ‘View Access’ global capability return ACL info when request is rejected due to a permission issue.
-
Change 435017: Plugin provided
change-metadata-items
can be placed abovesubmit-requirements
.With this change, plugins can choose to place items above the submit requirements.
-
Change 433022: Added support for configurable performance metrics.
A new
performance.metric
configuration section can be used ingerrit.config
to specify operations for latency and count recording in performance metrics. This is useful to identify slow operations and assess the impact of optimizations. -
Change 431638: Added metric to count rejected pushes.
The new
receivecommits/reject_count
set of metrics count the number of rejected pushes. They are suffixed with the push kind (eitherdirect
, for direct pushes, ormagic
, for pushes to magic refs) and with the reason of the rejection (e.g.branch_not_found
,no_new_changes
, and so forth), for example:receivecommits_reject_count_magic_branch_for_main_not_found
,receivecommits_reject_count_direct_prohibited_by_Gerrit:_not_permitted:_create
. -
Issue 321784728: Add support for using subsections in
passwd
.Fixes a bug whereby the
java -jar bin/gerrit.war passwd
program couldn’t be used to set a subsection config, such asremote.instance.username
. -
Change 442063: Support enabling
WANT_LGTM=all
via submit requirements -
Change 442084: Allow to run periodic group reindexing also on Gerrit primary server.
-
Change 442065: New configuration style for period indexers
Deprecate
index.scheduledIndexer
configuration in favor ofscheduledIndexer.groups
to support explicit indexing groups and future reindexing configurations for other indexes. Both configuration styles are supported, but the former is deprecated. -
Change 442105: Allow to schedule periodic project reindexing
This may be useful in high-availability scenarios where each primary maintains its own index. For example, if messages between the primaries are not delivered due to prolonged downtime of one of the primaries the projects index will become consistent again on the next run of the periodic project indexer. This is currently supported only for
projects
andgroups
indexes. -
Change 444041: Enable highlighting for nix
Performance improvements
-
Change 422522: Avoid double loading of change notes when retrieving change without specifying a meta rev ID.
-
Change 426537: Improve performance of changes queries when using the custom permission backends.
The virtual host module, or other permissions backends, can potentially restrict the visibility of users to a limited set of projects or changes.
-
Issue 365254275: Don’t sync bulk actions details for anonymous user.
This change effectively reduces potential system load and improves overall performance by preventing anonymous users calls from loading unnecessary data.
Bug fixes
-
Change 422518: Record duration of performance events in nanos (instead of in millis).
Performance events shorter than
1ms
were being recorded with a duration of0ms
, causing them to be invisible on performance charts and making it unclear whether they were executed or just too fast to be displayed. -
Change 422039: Fix Cloud Spanner error codes for AccountPatchReviewStore.
-
Change 429801: Fix evaluation of extra query provided by a permission backend.
-
Change 430917: Allow Gerrit to open more than 10240 file descriptors on MacOS.
-
Change 438861: Fixed ls-projects to skip corrupted repositories.
The
ls-projects
command now logs an error and continues processing other projects if aMissingObjectException
occurs due to a corrupted Git repository, rather than stopping execution entirely. -
Change 437821: Fixed
GET /auth-check.svg
error. -
Change 436057: Fixed exception in GetMessage REST endpoint when the change contained multiple footers with the same key.
Only the last footer for any footer key is now returned.
-
Change 435938:
AccountResolver:resolveExact
can now resolve accounts for usernames.AccountResolver:resolveExact
now supports resolving accounts by exact username matches, avoiding unintended results from fuzzy matching. -
Change 434177: Disallowed ref creation when passed object is neither Commit nor a Tag.
Restrict ref creation to only
Commit
orTag
objects, preventing unintended ref creation for unsupported object types. -
Change 441202: Fixed change email threading in Microsoft clients.
-
Change 442621: Respect project config and user preference for creating changes as work-in-progress by default for the Revert REST endpoint.
Frontend changes
-
Change 425037:
gr-watched-projects-editor
: improve unsaved changes detection. -
Change 425038:
gr-email-editor
: improve unsaved changes detection. -
Change 425857: Made navbar mobile responsive in
gr-main-header
. -
Change 430619: TypeScript API: fix PluginApi exposed type from HTMLElement to PluginElement.
-
Change 437561: Added new
formatted-text-endpoint
plugin endpoint. -
Change 442601:
gr-create-change-dialog
: Give more width to messageInput (Description)
Other Changes
-
Change 418578: Make
Service Users
group that is created on init visible to all users. -
Change 420064: Disallow removing votes from merged changes by removing reviewers.
-
Change 420065: Disallowed removing votes from merged changes.
-
Change 421177: Do not grant
Revert
permission toRegistered Users
by default.Note,
Registered Users
can still revert changes via git push, just not via the web UI. -
Change 421141: Do not grant
direct
push permission by default. -
Change 427077: Support
refs/heads/...
as rebase base. -
Change 427778: Fixed updating an existing edit via push.
Resolved an issue where attempting to update an existing edit via push was rejected due to non-fast-forward updates being disallowed.
-
Issue 341288175: Ignore global ACLs query limit for internal user.
-
Change 431080: Include
replication-api.jar
inrelease.war
.Ensures all core plugins, including API jars, are packaged in the
release.war
, enabling cross-plugin communication via core plugin APIs. -
Change 441562: Allow passing build arguments to generated API scripts.
-
Change 442062: Added sample ref-updated hook to repack repositories geometrically.
-
Change 442104: Update attention set behaviour when commenting on a thread.
Refine how participants are notified when a comment is added, ensuring that the right people are re-engaged based on their review status and the thread’s resolution state.
Documentation changes
-
Change 439141: Fix
Label
documentation mentioningfunction = MaxWithBlock
.Instead describe how to define a corresponding submit requirement.
-
Change 439361: Document
--reuse
option of the offlinereindex
command.
Plugin changes
-
codemirror-editor updated to
e5e9ece112242397f000660c6cee8f5053ca5da5
git log --no-merges --abbrev-commit --oneline 06719abee6c38d17008599f074050db5153bffa3..e5e9ece112242397f000660c6cee8f5053ca5da5
Notable changes are:
e5e9ece
Added missing Vue dependencybf8ac0b
Added Vue language supportcddb6d8
Show Line Length Indicator at 72 Characters for Commit Messages
-
hooks updated to
4f43f5db6b8aa7f36381f4f9a4c9ec1fc335d949
:git log --no-merges --abbrev-commit --format=oneline f975f914312b258f84957d19f96014c3edd12644..4f43f5db6b8aa7f36381f4f9a4c9ec1fc335d949
Notable changes are:
-
4f43f5d
Print hook stdout/stderr in case of a non-zero exit code:Hook output is now printed when a non-zero exit code occurs, providing error details without requiring DEBUG logging level.
-
41c3ad1
Resolve relative hooks.path against $site_path, not cwd of the processRelative paths for
hooks.path
are now resolved against$site_path
instead of the process’s working directory, ensuring consistent path resolution.
-
-
plugin-manager updated to
86f7ec61a9785df246f653a1336520b9607399b1
:git log --no-merges --abbrev-commit --format=oneline cdd2d2d69666a70a16ac02bacf8e7fbbf4ca9979..86f7ec61a9785df246f653a1336520b9607399b1
Notable changes are:
86f7ec6
Add replication-api to the list of core plugins53d615a
Avoid work in Optional.orElse() callsc67b626
zuul: Fix test dependency on release.war
-
replication updated to
0af31d2a5df62329162a750beec2e9dc0adf8e72
:git log --no-merges --abbrev-commit --format=oneline 445cd037108a9ad478c187aeb31cb14a8e889a0f..0af31d2a5df62329162a750beec2e9dc0adf8e72
Notable changes are:
-
0af31d2
Fix PushOne toString() to show the right refs and hidden number -
660fcd4
Destination: use striped lock to reduce lock contention.Optimized replication throughput by implementing striped locks in the Destination to reduce lock contention across repositories.
-
3982574
Fix FanoutConfigurationResource update API:This fixes issue 351843807 where Gerrit changes were no longer syncing to
Github
. -
eac5d4e
Delay the fetching of credentials until push time:Improved replication reliability by delaying credential fetching until push time, allowing dynamically reloaded credentials to be applied even for retried replication tasks.
-
69c66c8
Improve FanoutConfigurationResource loading performance:Enhanced loading performance of replication remotes as individual files (under
$GERRIT_SITE/etc/replication
) by optimizing remote parsing and merging logic, reducing load times for large configurations. -
69c0c4d
FanoutConfigResourceTest: assert configuration updates being visible:Fixed an issue where updates to remote configurations persisted on disk but left an outdated in-memory copy, ensuring in-memory consistency after updates.
-
6b4bc77
Fix updating replication credentials using te ReplicationRemotesApiFixed an issue where updated replication credentials were incorrectly saved to
replication.config
instead ofSecureStore
. -
cc32fe2
Prevent replication plugin start with invalid remotes: See Breaking changes -
d1ad7d5
Use SecureStore to access replication credentials:See Breaking changes
-
89fc47e
Introduce API for retrieving the remote config:Extended ReplicationRemotesApi to support retrieving configurations for multiple replication remotes.
-
16ccc30
Allow to update base/override remote configs from MergedConfigResource:Added a method to update base or override remote configurations in a single call, building on the API for updating replication configurations from other plugins.
-
Other dependency changes
- Change 388173:
Update
gson
to2.10.1
- Issue 317770593:
Update
com.google.auto:auto-common
to1.2.2
- Change 438881:
Update
SSHD
to2.14.0
- Issue 359613380:
Update
bouncycastle
to1.74
- Issue 355451185:
Update
asm
version to9.7